Jeff McJunkin
Started in ops and blue, now I hack for a living. SANS author/instructor in Oregon. Founder: https://t.co/c36tmCG20T. He/him. @jeffmcjunkin@infosec.exchange
Mar 7 15 tweets 7 min read
Wow, this article was a fun rabbit hole:



In viewing , I then saw a reference to a scanned document named Chasebank_statement_feb.zip.

Inside, I found a simple LNK. What to?

🧵 (1/15)
vin01.github.io/piptagole/secu…
urlscan.io
sites.google.com

The LNK file pointed to the local copy of cmd.exe, of course!

(Amusingly, abuse of LNK files to cmd.exe or powershell.exe is some of the latest material inside , but I digress)

What does that base64-encoded data come back to? Next up, CyberChef!
sans.org/sec560
Dec 27, 2020 14 tweets 5 min read
Here's a thread on some overpowered technologies to slow down attackers that you can implement _now_.

First, re-implement LAPS (microsoft.com/en-us/download…) at your peril.

1/14

Every time I've seen companies roll their own implementation, it's resulted in _any_ compromised workstation being able to retrieve _all_ local Administrator passwords.

Just use LAPS.

2/14
Dec 11, 2018 30 tweets 13 min read
Attending @_wald0 and @CptJesus's webcast now: register.gotowebinar.com/register/50128…. Live-tweeting as follows [1/n]

Andy just gave props to MS Research: alicezheng.org/papers/sosp200…, @PyroTek3 (adsecurity.org), and @harmj0y (github.com/PowerShellMafi…). Great stuff! [2/n]